Risk Assessment Training and Coaching for medium size organizations with no risk management or internal audit functions who are nevertheless concerned about risk.

1. CME Inc – Business Improvement Through Risk Awareness – Risk Management Consulting
Why Is Risk Management Important?
Organizations that manage risk effectively are less likely to be
negatively affected by uncertainties and can turn many of them into
positive opportunities that better serve their clients because they
are better prepared for them in advance. Thus, being risk aware is
critical for success.
Organizations that plan for and manage risk enhance their
credibility with customers, donors, regulators, investors and the
communities they work with to achieve high impact results.
Boards have a fiduciary responsibility to manage their affairs
through effective governance with clear accountability for
achieving their strategic goals. Risk management needs to be a key
element of their responsibility.
How We Can Help
We will teach selected employees value-added risk management
techniques and tools. Below is an overview of the process. The
green line is how we teach and then workshop your employees
through a Risk Assessment process. The Red Line shows how they
apply that process to new risks they discover after we leave.
In most cases, there is one person facilitating the workshops.
However, when more specialization is required to supplement your
experts, additional people can be added. See our online partner
page.
The Process
This process is all about workshopping and collaboration.
Most of the time, we are working with the employees you
identified for this engagement in the same room. They are
subject matter experts on the topic we are discussing and
have brought their laptops or tablets with them so that they
can enter their individual thoughts into RISKID, the risk
identification collaboration software that I use.
First, we spend an hour going through the basics of risk
management, making sure there is a clear and common
baseline understanding of the terms we will be using in the
workshop, including: Risk, Cause, Effect, Likelihood, Impact,
Inherent Risk Rating, Control and Residual Risk Rating. We
use clear examples to illustrate all definitions.
In Step 1, Identify new risks, your employees are entering
risks they think are important into RISKID, which
consolidates them all into the facilitator’s account, and we
display them, anonymously, on the screen for
discussion. Anonymity promotes the likelihood of more
honest and forthright feedback from employees who may
lack the confidence to speak freely with managers in the
room. The discussion is all about understanding the risks,
discussing the concerns behind them, and adding potentially
new risks that come up because of the discussion.
In Step 2, Prioritizing risk, this same group is entering into
RISKID what they individually think the Likelihood and
Impact of each of the Step 1 Risks are, in absence of any
controls or strategies to mitigate them, to determine their
Inherent Risk Rating. RISKID automatically identifies those
scores where there isn't consensus, allowing for further
discussion and possibly refining the risk until we get to a
scoring for each one that the group agrees with.
A typical engagement will last 5 days, with Step 1 – 3
workshops occuring on Days 1 and 2.
e: cmccabe@risk-management.ca
CME Inc.
Business Improvement Through Risk Awareness
Risk Management Consulting
w: risk-management.ca

2. CME Inc – Business Improvement Through Risk Awareness – Risk Management Consulting
In Step 3, Evaluate how risks are managed, we identify controls
and strategies currently in place to manage those risks that have
a high Inherent Risk score (we're dealing with the most urgent
risks first). We'll then score those risks again, this time with
current controls in place, to determine the Residual Risk
Rating. Ideally, your Residual Risk Rating is lower than your
Inherent Risk Rating to a point that you are comfortable that
those risks are being properly managed within your
organization's risk tolerance.
In Step 4, Improve how risks are managed, we focus on those
risks whose Residual Risk Rating isn't low enough. In other
words, these are risks that need to be managed better than they
currently are. We will determine what the action plan is, who is
responsible for implementing it, and by when.
In Step 5, Report to the board, we will provide a summary
report to the board that shows the categories of risks identified,
how many risks within each category have High, Medium and
Low Inherent and Residual Risk Ratings, flag those risks whose
Residual Risk Ratings currently aren't low enough, and what the
plan is to resolve those situations.
This doesn't end the process. In this one session, we will not
have identified 100% of all the risks in your organization. We
will have started down that road but after we're done, your risk
aware employees will see new risks that we didn't previously
identify and evaluate them the same way we did above, either
on their own or with their colleagues. They can also go through
this process whenever there is a material change in the
organization. The only difference is that they will be updating
their own corporate Risk Register, which is a spreadsheet created
from RISKID during our session.
Charles McCabe, Principal
Charles McCabe is the Principal of CME Inc., a risk
management and special projects consultancy.
Charles is an experienced Risk Management Consultant and
Coach from both the context of Internal Controls, practiced by
Internal Auditors, and traditional Risk Management loss
prevention.
His experience with Internal Controls comes from being an
Internal Auditor at Canadian Pacific Ltd., Canadian Pacific
Railway and Canada Life Assurance Company, with a focus on
Operations & IT Audit, and Control Self Assessments.
He managed an Operations Risk Management function at
Canada Life Assurance Company, managing the risk of paying
Disability, Dental and Extended Health claims incorrectly. His
11-person team consolidated four regional practices into one
national practice and established national Quality Control,
Training, Anti-Fraud and Reporting functions.
A believer in Continuous Education, Charles is currently
studying to qualify for both the Certified Risk Management
Professional (CRMP) and Canadian Risk Management (CRM)
designations, issued by the Global Risk Management Institute
(GRMI). After 7 final exams at both the University and GRMI
level, he will have both designations by mid 2017.
CME Inc.’s partners are Abraxas International, Cambridge
Solutions, Dotfusion Digital Agency, PMC Inc., a division of
Optimus|SBR and Unicom Solutions. These firms allowing us
to bring extra experience to our workshops when more subject
matter depth is required.
We use RISKID as my primary tool to help me work with your staff and key employees through their first Risk Assessment because it
is a very effective workshopping and collaboration tool. Here is a brief video describing the product and how it interacts with the
process described above: http://www.youtube.com/watch?v=9c0kiv-F1o0
Case Study – Orangeville Food Bank
Orangeville Food Bank has served Orangeville, Ontario for over 20 years. It has
a Board of Directors, evolving from an Active model to a Governance Model, a
full time Executive Director and over 70 very dedicated volunteers.
During Step 1, Identify New Risks, we identified over 40 unique risks. Through
documents I was given in advance, I added about 10 more that I felt needed to
be part of this initial round. Working with the Executive Director and various
sub-committees, we documented existing controls for those Risks that had a High or Medium Inherent Risk Rating and identified
those risks which needed additional controls on the basis that the Residual Risk Score wasn’t low enough. What I found most
gratifying was the fact that new risks were continually being identified by board members and volunteers long after Step 1 was
complete, signalling to me they had truly become risk aware and thus placing Orangeville Food bank on a more secure path in
service delivery.
e: cmccabe@risk-management.ca
CME Inc.
Business Improvement Through Risk Awareness
Risk Management Consulting
w: risk-management.ca